How to Prevent Browser “Cryptojacking”

Post Meta

If you thought your “secure” browser is blocking all these cryptojacking attempts (perhaps you even installed a cryptoblocker extension), think again. Cryptominers are using other people’s browsers to make bank while getting better at evading detection. What have they been up to recently?

*

For readers of this blog who don’t already know, cryptojacking is the process in which a machine’s resources are hijacked and used to mine cryptocurrency. This type of attack can take place in various ways, usually involving the local browser and JavaScript. For more details, check out our “Cryptojacking 101” here.

Lately, cryptojackers have found more ways to hog their victims’ computing resources. Chrome browser extensions offered through the Chrome Web Store were discovered to contain mining code. Ubuntu’s own Snap Store has been supplying software with “miners” built in.

One-two punch: ransomware+cryptojacking

Even garden-variety malware now usually comes equipped with miners. A new variant of the Rakhni ransomware now contains a cryptocurrency miner. It uses logical conditions expressed in the environment to determine whether the system should be used to mine, or if it should be ransomed. More details about this new variant can be found here.

Another malware documented here detected as “TROJ64_COINMINER.QO” leverages not only WMI (Windows Management Instrumentation) to remain fileless and persistent, but also the EternalBlue exploit to propagate. Packing this one-two punch, it then reaches its final stage and starts mining away in stealth mode.

Is Cryptojacking the new money maker for cybercriminals? A recent report by researchers at security firm McAfee indicates that much. McAfee Labs count of total coin miner malware rose by 629% in Q1 of 2018 alone, to more than 2.9 million samples.

The business for new JavaScript mining tools is booming as well. One vendor, coinimp.com, claims its developers “react and work hard to unblock it” from AdBlock or Anti-Viruses.
Another notable player is Coinhive, a popular platform used for legitimate purposes as well as for cryptojacking.

Few hurdles for in-browser miners

Cryptojackers are looking forward to a rosy future. So far, in-browser JavaScript-based miners barely face any obstacles when tapping into users’ machines through the local browser. All it takes is for the user to visit a webpage that utilizes the JavaScript code. Coinhive, a company that employs this technique, makes setting up such pages easy.

Coinhive enables cryptojackers to create a script to load on any webpage that causes visiting browsers to start mining XMR (Monero cryptocurrency) in the background. While Coinhive also provides an authorized mining option, the main attraction for many cryptocurrency “entrepreneurs” is its unauthorized mining mode - no popup, no warning for the victim.

Distribution via hacked websites and online ads

User visits site. JavaScript is rendered. User’s machine begins mining. It’s as simple as that and easy to manage for the cryptojackers, but a mounting challenging for end users and IT managers. How are the stealthy mining scripts get embedded on the many websites that are needed to make the effort worthwhile for the crypto-crooks?

Recent months have seen a wave of site break-ins to embed this script. The site owners themselves may never know, but all their traffic is monetized by cryptojacking networks. In addition to the spiked browser extensions mentioned earlier, there have also been reports of online advertisements containing miners displayed and rendered on sites.

So how can you prevent this from happening to you? A straightforward but unreliable way would be to use traditional anti-virus tools that block browser cryptocurrency miners. Another approach involves browser extensions (such as NoScript) that prevents the rendering of specific JavaScript sequences. Did I mention that local browser extensions can - and frequently do - open the door for additional dangerous exploits?

Beware “solutions” that add to the problem

Another problem with these “solutions” is that miners can be difficult to detect. Anti-mining software faces the same challenges as anti-virus tools, which are always behind the curve and known to introduce additionals risks. Methods to obfuscate browser-based cryptocurrency mining scripts abound, so detecting and blocking all delinquent JavaScript variants remains similarly elusive.

One of many ways of evading detection is through proxy servers. Typically, anti-mining extensions and anti-virus vendors will just block the domain and not the actual Javascript object. This amounts to not more than empty feelgood activism, in my book. It doesn’t accomplish anything. Here’s what I mean:

Hide-and-seek, and seek, and seek...

Let’s say that the embedded script comes from Coinhive. It will generally be located here: coinhive.com/lib/coinhive.min.js Let’s also assume that someone were to take that script and just relocate it, or perhaps wholly reverse engineer it to work with their own site - essentially, setting up a Coinhive clone.

As a result, the script’s location would change and look roughly like this: clonedomain.name/lib/miner.js

The outcome is predictable. Browser extensions or AV tools that block such scripts by just grouping domains will miss the mark and are doomed to fail. The cloaked script will tap into your IT resources and keep the crypto money machine humming.

So what if someone caught on to what’s going on? No hurdle for the crypto-racketeers. It takes them less than 15 minutes to buy a new domain, set up a new server, and re-configure the mining script. AV vendors won’t be able to keep track of every domain and server that utilizes cryptocurrency mining.

Obfuscated code, obedient browser

But what about the actual script itself? For cryptomining crooks who don’t want to waste time and money on playing the catch-me-if-you-can domain game, is there a way to just obfuscate the script? The answer is yes. This is how it works:

Let’s assume that the coinblocker extension or AV product is blocking scripts based on their known signature as stored in a database. Meaning, it blocks the way in which the script looks like in plain text and not the actual activity of the script.

There are methods in which an attacker can obscure their code to look different. Here are two sample Coinhive scripts, one plain and one obfuscated:

You probably guessed it already: these two scripts are identical when they are rendered in the browser. This level of obscurity will dupe Coinblocker that are blocking scripts based on their known profiles. The document.write() function directly places the code into the template.

In the next step, the unescape() function decodes the encoded string. Here the string is encoded in hex, but it can be encoded in base64, binary, octal, etc. To make obscurity even more “efficient”, one can obscure in all encodings and decode multiple times. Your browser will do the bidding of the cryptojackers and still render the script equal to its non-encoded counterpart.

To meter or not to meter?

One popular method of detecting browser cryptocurrency mining relies on monitoring CPU/GPU usage. Put simply, if a particular component (like CPU or GPU) on the computer is throttling at a high rate due to a single process, the tool assumes the machine is mining.

Yes, monitoring system components for load spikes can ferret out miners - but will it make much of a difference?

Well, no - not really.

That’s because attackers can easily limit via a percentile how much of a victim’s computer resources the cryptomining script will be allowed to hog. An attacker can, for example, specify that only 50% of the victim’s CPU resources are to be used. This will make it harder for the victim to detect the mining activity. This may also limit the net amount of mined cryptocurrency, but that’s a price attackers are willing to pay for preventing detection.

Attempting to track down all possible forms of cryptojacking is futile. As with other types of malware defense and detection, the defender would always be one step or more behind, because the possibilities for trickery are endless.

What's next, and how to protect yourself

For years, other malware has evaded detection through encryption, loading binaries into memory, process doppelgänging, et al. If it hasn’t done so already, cryptojacking is likely to soon enter that realm of sophisticated evasion methods (comparable to these sandbox busters). Local browsers provide cryptocurrency exploiters with unlimited possibilities, i.e., vulnerabilities.

We should not be surprised if cryptojackers eventually combined exploit kits and mining scripts to get deep inside the browser for elevated mining processes (making GPU mining possible), which in return could yield higher profits.

Cyptocurrency is their reward, and your browser serves as the gateway to the motherload. The only adequate response to this growing threat is to use a hardened browser that runs off-site and isolated in the cloud, with centrally managed and monitored security measures in place that prevent such exploits.

Disconnect from the crypto-mining craze by using a cloud browser. This way, all mining code will get neutralized before it can even reach your IT perimeter, and will never touch the computer you connect from.

Watch this video to see how it works and how you can prevent all cryptocurrency miners from hijacking your browser:

*

Amir Khashayar Mohammadi is a Computer Science and Engineering major who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors.

Guest Contributor - Authentic8 welcomes suggestions and submissions from guest contributors. Blog posts should be relevant, non-promotional and add valuable and actionable insights for improving IT security on the web.